Computer/Information Security blog. Sometimes I will blog about IT too.

Friday, September 4, 2009

Escalating from a PHP Hardened Environment

A number of PHP threats and vulnerabilities have been reported over the past few years. These include file inclusion attacks, remote file upload vulnerabilities, insecure function injection (eval, create_function, preg_replace), etc. Executing malicious shellcode on a vulnerable web server is still easy, but it becomes quite challenging once the topic of "post exploitation" comes up.

Today many PHP-based web servers are hardened by default and run with low privileges. Thus, it is extremely challenging for an attacker to gain full control over the server. Let's take a brief overview of the common types of protection schemes used to harden a PHP environment:

This happens because we are unable to disable the internal "allow_call_time_pass_by_reference" function.

2. executor_globals() is used to find the interesting target; it contains the list of functions, the ini entries and the jmp_buf, but its memory position is unknown and the structure changes with every single PHP version.

3. To execute code of the user's choice, the function dl() comes in handy, but it requires:
- a platform-independent library
- a writable directory
- enable_dl to be activated
- extension_dir set to the shared library directory

4. Attacking under the x86 Linux platform:
- a PHP array leaks the pDestructor pointer, which points into the PHP code segment
- scan until an ELF header is found in memory
- once the ELF header is discovered, the imported functions can also be found
- select a function that has been imported from libc (memcpy)
- from there, any function within libc can be looked up and its address obtained
- the address of the shellcode can be written and executed
- copy the shellcode into the writable text segment and execute it
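Item 3 above lists what the dl() path needs from the configuration: enable_dl on, a writable directory, and extension_dir pointing at it. The script below is an added example (not from the original post) that audits a php.ini for exactly those settings so a defender can confirm the path is closed; the two php.ini files it creates are constructed samples, and the writability check reflects the user running the script (run it as the web server user for a meaningful result).

```shell
#!/bin/sh
# Added example: audit a php.ini for the settings that the dl() escalation path relies on.

# ini_value FILE KEY -> prints the value of KEY (last active entry), stripped of
# surrounding quotes, trailing whitespace and a trailing ';' comment.
ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"(.*)"$/\1/'
}

# audit_php_ini FILE -> exit 0 when every check passes, 1 when any finding is printed.
audit_php_ini() {
    ini="$1"; rc=0
    enable_dl=$(ini_value "$ini" enable_dl)
    case "$(printf '%s' "$enable_dl" | tr 'A-Z' 'a-z')" in
        off|0|false) ;;
        "") echo "FINDING: enable_dl not set; the engine default is On"; rc=1 ;;
        *)  echo "FINDING: enable_dl=$enable_dl (dl() can load shared objects)"; rc=1 ;;
    esac
    disabled=$(ini_value "$ini" disable_functions)
    case ",$(printf '%s' "$disabled" | tr -d ' ')," in
        *,dl,*) ;;
        *) echo "FINDING: dl is not listed in disable_functions"; rc=1 ;;
    esac
    extdir=$(ini_value "$ini" extension_dir)
    # A writable extension_dir lets a low-privileged user drop a library where dl() will find it.
    if [ -n "$extdir" ] && [ -d "$extdir" ] && [ -w "$extdir" ]; then
        echo "FINDING: extension_dir $extdir is writable by the current user"; rc=1
    fi
    return $rc
}

# Constructed sample configurations for demonstration.
SAMPLE_DIR=$(mktemp -d)
WEAK_INI="$SAMPLE_DIR/weak.ini"
HARD_INI="$SAMPLE_DIR/hard.ini"
cat > "$WEAK_INI" <<'EOF'
; constructed sample: the configuration the dl() path needs
enable_dl = On
extension_dir = "/tmp"
disable_functions = exec,system
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample: hardened counterpart
enable_dl = Off
extension_dir = "/usr/lib/php/modules" ; not writable by the web user
disable_functions = exec,system,dl
EOF

audit_php_ini "$WEAK_INI" && echo "weak.ini: no findings" || echo "weak.ini: findings above"
audit_php_ini "$HARD_INI" && echo "hard.ini: no findings" || echo "hard.ini: findings above"
```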